a PAM configuration for the services that should use the fingerprint reader, e.g. the login on the text console or in the graphical display manager. And of course you need to collect fingerprints of the users who should be able to use the reader for authentication. If no sample fingerprints are found or if they do not match, the system falls back to using passwords.

BioAPI framework

Just install the downloaded .deb file with

dpkg -i bioapi_1.2.3_i386.deb

Ignore the warning about not finding /usr/lib/libqtpwbsp.so; it's not fatal.

UPEK Fingerprint BSP

The software comes in a zip file, so

apt-get install unzip

if you haven't got it installed already. Then create a new directory and change into it, then unpack and install the driver:

Enrolling users and PAM configuration

Since the BioAPI framework can work with various biometric devices, each one of them has a unique serial number (a long hexadecimal number) called the Module ID. Both the process of gathering sample fingerprints and the PAM configuration need the Module ID of your fingerprint reader. You can print the ID in the needed format with the following rather ugly command:

The result, in my case {5550454b-2054-464d-2f45-535320425350} (check if your ID differs and change accordingly in the following steps), is needed in several places. First create a directory in /etc/bioapi1.10/pam with that name, e.g. with

mkdir -p /etc/bioapi1.10/pam/{5550454b-2054-464d-2f45-535320425350}

The files containing the sample fingerprints (one file per user, with .bir as extension) need to be copied into that directory. Creating these files is done using the Sample program that comes with the UPEK software (in the NonGUI_Sample subdirectory), which needs to be made executable first. Then run it (from the current directory with ./Sample), choose "enroll" and enter a valid username. You'll then be prompted to collect 3 fingerprints. Once you're done, choose "quit" and look into the current directory. It should contain a .bir file for the username you just entered. Copy that file into the directory created in the last step. E.g. for the user spiney:

The next and final step is to configure services to use the pam_bioapi module as authentication source. For each PAM-aware service there's a configuration file in /etc/pam.d/ plus the fallback configuration file called common-auth which you could use to enable the reader system-wide. I just enabled it for gdm (the Gnome Display Manager, i.e. the graphical login) and login (for the text consoles) by adding the following line before the line with @include common-auth:

Either set the permissions on both to world read/writeable (pass 666 to chmod, probably ok security-wise since notebooks are single user systems in most cases) or assign a special group to them and give it write permission, and then add all users that should be able to use the fingerprint reader to that group. In my case I used the group adm, because my normal user was already a member of it (I do like to read log files without changing to root). So I did the following

Since you have to set the permissions on the proc entry every time you boot (or come back from suspend/hibernation), it's best to put the last three lines into some shell script that gets run every time you boot.

Now non-root users can use the fingerprint reader as well. The only PAM-capable application that comes to mind at the moment is xscreensaver. It needs a patch from http://nax.hn.org/pub/bioapi/xscreensaver-4.22_alternativeAuth.diff by Josef Hajas so that you are first asked to swipe your finger and it only falls back to password authentication when that fails. You can get the source code from the xscreensaver website, but if you run Debian sid you can also download my patched xscreensaver package (built from the current source from Debian via apt-get source), which is attached below. I'll try to keep them updated whenever there's a new version in Debian until the patch makes it into the xscreensaver source code upstream. But I disclaim all warranties regarding that package, so beware!

to your ~/.xscreensaver configuration file, restart xscreensaver and you're set. Lock the screen, press a key and there should be the window telling you to swipe your finger over the reader.

Again, if it doesn't work, take a look into /var/log/auth.log and check those file permissions.
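A pre-flight check for the enrolment and PAM steps above, added here as an example (it is not part of the original article or of pam_bioapi). The function name `lint_pam_bioapi`, the argument layout `pam_bioapi.so <Module ID> <directory>` (taken from the lines readers quote in the comments) and the check that `.bir` files are not writable by group or others are assumptions of this example; the sample input is constructed.

```python
import re
import stat
from pathlib import Path

# Module ID in the format the article uses: {8-4-4-4-12 hex digits}.
MODULE_ID = re.compile(r"\{[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}")

def lint_pam_bioapi(pam_text, user):
    """Return a list of findings for one /etc/pam.d service file ([] = OK)."""
    findings, bio_at, fallback_at = [], None, None
    for no, raw in enumerate(pam_text.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()          # drop comments, split fields
        if not tok:
            continue
        mod = next((i for i, t in enumerate(tok) if t.endswith("pam_bioapi.so")), None)
        if mod is None:
            # Password path: common-auth pulled in, or pam_unix used directly.
            if tok[0] in ("auth", "@include") and any(
                    t.endswith(("common-auth", "pam_unix.so")) for t in tok):
                fallback_at = fallback_at or no
            continue
        if tok[0] != "auth":                        # article uses it as an auth source
            findings.append(f"line {no}: pam_bioapi used as '{tok[0]}', not 'auth'")
            continue
        bio_at = bio_at or no
        args = tok[mod + 1:]                        # assumed: <Module ID> <base dir>
        if len(args) < 2 or not MODULE_ID.fullmatch(args[0]):
            findings.append(f"line {no}: malformed or missing Module ID / directory")
            continue
        bir = Path(args[1]) / args[0] / f"{user}.bir"
        if not bir.is_file():
            findings.append(f"line {no}: no enrolled template {bir}")
        elif stat.S_IMODE(bir.stat().st_mode) & 0o022:   # added hardening check
            findings.append(f"line {no}: {bir} is writable by group or others")
    if bio_at is None:
        findings.append("no 'auth' line for pam_bioapi.so")
    elif fallback_at is not None and fallback_at < bio_at:
        findings.append("password modules are listed before pam_bioapi")
    return findings

# Constructed sample: an ID that is one digit short, plus a 'password' line.
SAMPLE = """\
auth     sufficient pam_bioapi.so {5550454b-2054-464d-2f45-53532042535} /etc/bioapi1.10/pam
password sufficient pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi1.10/pam
@include common-auth
"""

if __name__ == "__main__":
    for finding in lint_pam_bioapi(SAMPLE, "spiney"):
        print(finding)
```

Run it against the text of a service file such as /etc/pam.d/gdm with the username you enrolled; an empty result means the Module ID, the template path and the module order are consistent with the steps above.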

New patch for xscreensaver

Since the original patch was sometimes confusing to the user (see Brice Goglin's comment below) I tried to come up with a different approach: use a different PAM configuration for xscreensaver when using the alternativeAuth option.

Below is the patch (xscreensaver-4.23_fingerprint.patch) and also an updated version of the package for Debian sid (xscreensaver_4.23-3fingerprint_i386.deb). To use it, follow the instructions above, but instead of modifying /etc/pam.d/xscreensaver (if you did already, remove the bioapi line again), create a new file /etc/pam.d/xscreensaver-alternative with the following content:

Comments

Thank you for this page. I got xscreensaver's locking to work with the fingerprint.

But I would like to understand/fix how it reverts to password when fingerprint's authentication fails 3 times: It asks for the password. But, if I enter the right password, I get asked for fingerprint again before I finally exit xscreensaver's locking (even if I fail the fingerprint authentication again).

I tried to tweak my pam.d/xscreensaver but wasn't able to fix it. Any idea?

is far from perfect I guess, so it's a matter that has to be solved in the xscreensaver source code. If I happen to find time during the holidays, I might take a look and try to come up with an updated patch.

But it can't be solved by twiddling around with the PAM configuration, that's for sure.

Hello, reading all the talk, it seems that xscreensaver first authenticates using the fingerprint scanner and then, if that fails, authenticates via password. Mine is the other way around: it authenticates via password first, then when I press Enter the system asks me for my finger.

Why is that so? I can't get it... I followed everything in http://www.thinkwiki.org/wiki/How_to_enable_the_fingerprint_reader#Make_xscreensaver_use_the_scanner and it was successful, but why is my xscreensaver authenticating by password first instead of fingerprint?

The script in common-auth is the same as the how-to on the ThinkWiki page.
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
auth sufficient pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/
password sufficient pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/
auth required pam_unix.so nullok_secure

At first, when I hadn't installed xscreensaver with PAM, the config was:
auth include common-auth
account include common-account
password include common-password
session include common-session

Then when I installed xscreensaver with PAM, the config turned to:
auth include common-auth

It seems to me that my common-auth PAM is fine, but why is it that the password is being asked first, before the fingerprint?

Huh?! :O The .xscreensaver can't be found in the /home// folder. :?
That's why I can't see if the alternativeAuth: True exists :?
When was it generated? Can you tell me exactly how to get this file?

One more thing, I think the patch doesn't work for me. I mean, in the forums I have read that tweaking the PAM configuration is not the answer; the right thing to do is the patch (I forgot the URL, sorry). I am using the latest xscreensaver found at http://www.jwz.org/xscreensaver/, which is xscreensaver24, and your patch below (not for Debian because I'm using SUSE). I don't know how patch works, but can you please help me have a patch that will authenticate first by fingerprint and then, if that fails, prompt for the password?
Please help, I'm going crazy... :?

.xscreensaver is found in /home/<username>/.xscreensaver, as in the home directory of your user (I forgot to escape the special html characters in my last comment and of course I didn't catch that in the preview).

About the patch: you have to extract the source code, "cd" into the resulting directory and run

patch -p1 < /path/to/the/fingerprint.patch

Afterwards you have to install the software as described in the README file that comes with it. But the patch will probably not apply cleanly to version 4.24, and I haven't had time to update it, so use 4.23 instead.

And about your pam config files: first of all, don't put lines starting with "password" in common-"auth", that file is meant for pam authentication modules (hence the name). Otherwise they don't look totally wrong, but I'm just guessing, since I can't quite tell which file is which from your comment.

Thanks for everything, but it still doesn't work. The password dialog box appears first, before the fingerprint window. I used xscreensaver 4.23 and your patch, which seems to be working because I studied it manually. Everything seems fine and I can see the .xscreensaver configuration file in my home folder,
then I put alternativeAuth: True

and made an xscreensaver-alternative file in /etc/pam.d, and in that file I solely put
auth sufficient pam_bioapi.so {5550454b-2054-464d-2f45-35320425350} /etc/bioapi/pam

But still, after xscreensaver, if I make any move (keypress or mouse click), the password dialog box appears first, before the fingerprint window.

Is there something that I missed??? :?
What could be the wrong thing that I'm doing???? :? :? :? Please help. I'm depending on you. :(

If I make the command BioAPITest | sed -ne "/Fingerprint/{n;n;s/^.*: \(.\{9\}\)\(.\{4\}\)\(.\{4\}\)\(.\{4\}\)\(.*\)/\1-\2-\3-\4-\5/gp}", I get the following ID :
{5550454b-2054-464d-2f45-535320425350}
which seems to be the same as everyone ....

My problem is that Sample only asks me for a password and not for fingerprints. (I also tried to recompile it, but apparently it relies on an older version of bioapi with an include/port/... file which does not exist in 1.2.3.) Is it normal that it says 0x0 as Device Id? I enclose $(Sample) and $(lsusb) below; I am running kernel 2.6.16.27 on an IBM T43 with Debian etch.

I don't know why the Sample proggy asks you for a passwd. I was googling around and found out that you should compile the bioapi with qt support. Then you will have a QSample which will let you do an enrollment....don't ask why this doesn't work with Sample.......hmmm

I had the same problem with Sample.....switched to QSample
and am now having the "BioAPI_ModuleLoad failed, BioAPI Error Code: 6477 (0x194d)"
problem....

I had the same problem - after .deb install, running Sample prompts for password, but not fingerprints. I solved it by following instructions from http://www.thinkwiki.org/wiki/How_to_enable_the_fingerprint_reader#Installing_and_configuring_the_driver:

In the main.c of bioapi you have #define PASSWORD_BSP 1. This definition forces the code to use the password BSP. If you change 1 to 2, you will obtain the same error... What is the solution for this error?... I don't know...yet

I can enroll the users using the Sample program, and I copied the database over and tried changing the permissions. I'm running Ubuntu 6.10 on a T43p, but gdm doesn't seem to be able to open the database?!?

Hi,
I am facing the same problem
BioAPI_ModuleLoad failed, BioAPI Error Code: 6477 (0x194d).
I have tried to solve the issue by uncommenting the line
//BioAPI_SetGUICallbacks(gModuleHandle, NULL, NULL,TextGuiCallback, NULL);
but the same error occurs.

I managed to enroll a finger print with the Sample program, and that much works well. However, after adding the lines to the files to /etc/pam.d/login or /etc/pam.d/gdm, for example, I always get this error in /var/log/auth.log after typing in a username at the login prompts. I am never prompted to swipe my finger, and doing so yields no result at the password prompt. Any ideas?

I have a problem with enrolling.
"Sample" works correctly: I choose "enroll" and enter the ID, the window to enroll pops up, but after that Sample hangs. It uses 100% of the CPU. What is wrong? An interesting thing is that if I enroll just after entering the username, it is possible to enroll three times before Sample hangs.
Sorry for my English.

This page has proven very helpful—much easier to understand than the thinkwiki page—but I still haven't managed to get my fingerprint reader to work. I now get as far as the 'swipe finger' GUI prompt, but when I swipe my finger, nothing happens. This is on a ThinkPad X60s running Ubuntu Intrepid.

I've pretty much followed the steps on this page but I compiled the main.c TFMESS_BSP_LIN_1.0 by hand. (When I didn't, Sample didn't recognise my username and password.) (One other thing that was odd was that the TFMESS_BSP_LIN_1.0.zip I downloaded contained three more zip files, two for FreeBSD and a third one for Linux by the same name.) I also used sudo pretty much every step of the way; I prefer not to log in as root.